I am currently working with an iPhone 4s from a homicide investigation. The phone is not password protected but Cellebrite Physical and Oxygen Standard are unable to process it. Each tool gives me a message stating that the iTunes Backup Files are password protected.

Using Elcomsoft's phone password breaker you could try and bruteforce attack the Manifest.plist file which is contained within the backup. There is also the option to wordlist attack the file as well.
Unfortunately if you are searching for more than 5 characters in your password you may have a long wait!

I'm not sure if it's the same thing, but I had a weird issue where Oxygen password protected the iTunes backup I made along with any subsequent backups I attempted to make. I then attempted to crack the backup with Elcomsoft's password breaker and it was successful! The password it came up with was "oxygen" - obviously not created by the user. I'm not really sure why this happened but there you go. In doing some research I saw that others had had similar issues where it would randomly assign a password on the backup.

I just Googled Jonathan Zdziarski. Pity I'll never get to use his iOS tools, but see that he's got a rather interesting blog: "The Case for Assault Weapons", "Pawns in a Political Country", "A Few Words on God" are a few recent topics.
_________________Forensic Controltwitter.com/ForensicControl
Studio 314, Vox Studios, 1-45 Durham Street, London, SE11 5JH

I am currently working with an iPhone 4s from a homicide investigation. The phone is not password protected but Cellebrite Physical and Oxygen Standard are unable to process it. Each tool gives me a message stating that the iTunes Backup Files are password protected.

Cellebrite Physical acquisition on a iPhone 4S is not possible, only a Logical or File System extraction can be made on this handset model.

- randomaccess

i wouldnt jailbreak to get the keychain password unless you have to

Even if you were to obtain the keychain by jailbreaking method, wouldn't the keychain be impossible to crack, with the Python "decrypto" module, as Apple changed the AES encryption algorithm when it went to iPhone 4S.

iPhone 4S shipped with iOS5, so now all attributes are now encrypted. On the encryption side, AES-GCM is used instead of AES-CBC. (AES-GCM is included in NSA Cryptography) Any partition on the phone can be encrypted and there are new protection classes- NSFileProtectionComplete.

I've found XRY will read in a iPhone 4S, that is running in encrypted mode, where it will read in the iTunes backup data first, note its encrypted & carry on to read the rest of the data on the phone. After a XRY dump, latest version has modules added in that can decrypt certain data that has been read in- SMS, MMS, Pictures, etc. Cellebrite & presumably Oxygen can't overcome this first step during the "Read Phone Info" stage.

What about syncing the exhibit to a virtual image of the computer, fire up iTunes, de-select the option to encrypt backup, re-sync the phone to iTunes with the encryption de-selected & see how this goes.